One of my guiding principles is that compliance does not equal security. Compliance isn’t a true representation of how well companies use security to protect themselves. It can be little more than checking all the boxes and telling the auditors what they want to hear. After all, many compromised banks were PCI-compliant, and several breached healthcare organizations were compliant with HIPAA.
I am no fan of compliance for its own sake. The problem with it is that too many companies and auditors don’t dig deeper and think about what, beyond compliance, would really make the company more secure.
Of course, at my company, we often find ourselves needing to come into compliance with various regulations — there’s no avoiding that. Customers expect us to maintain certain levels of compliance, and our bank requires us to be PCI-compliant, since we store and process credit cards. Reaching compliance can be arduous, and even exhausting, but it does have at least one great benefit: It’s a highly useful tool for leveraging change that I, as the security manager, fully endorse but haven’t been able to effect otherwise. In the name of compliance, you often find you can create new policies, implement new processes and deploy new technologies without a fight.
Just recently, months of nagging our IT guys to make sure that all end users’ PCs have up-to-date antivirus software finally came to a happy end when the matter became a compliance issue.
We have been pushing antivirus patches via a management server that monitors the patch status of all clients. The problem was that remote employees could work for long stretches without ever allowing that server to check their antivirus status. Because all of the applications that they use to get their work done are available as software as a service, they never feel a need to establish a secure VPN connection to our network.
The IT guys and I went back and forth on this for months, and we’d probably still be doing so months from now if not for the auditors listing this situation as an “exception” in their findings document for our SSAE 16 Service Organization Control report — a report that is shared with our customers. That’s when several executives got very interested in our VPN requirements. I was able to show them the long string of emails that had passed between me and the IT department on this very subject and — what do you know? — the result was immediate change. We have modified the architecture and securely exposed the management server to the internet so that remote employees are now able to effortlessly communicate with the management server to report status.
Since I had the ear of upper management, I thought it would be a good time to address some other things that I would classify under general hygiene. Too often, I have come across PCs and servers with outdated patches for operating systems and things such as Adobe, Flash and Java. Now, the IT department has been given a mandate from on high to get things in order.
Using compliance shortfalls to upgrade our security practices isn’t unusual. Last year, I was able to use compliance to justify several initiatives, including signing up for a service and buying associated tools that will allow us to establish baseline security configurations for technology assets such as Linux, Windows, Apache, Oracle and firewalls. And relying on findings from our PCI audit related to encryption, I was able to deploy Bitlocker for Windows PCs and File Vault for Apple Macs. PCI regulations state that all credit card information that is stored must be encrypted, and such information can show up anywhere in our company, since many of our employees assist customers, who often provide credit card and other sensitive data even though we advise against it. So now we’re enforcing encryption for 100% of our company-owned PCs. Such widespread use of encryption has a beneficial side effect, since many states now provide a “safe harbor,” meaning that a company that has been breached might not have to notify customers and provide breach remediation services if all the data involved was encrypted.
I have even used compliance to improve our security badges. When I was hired a few years ago, the company used plain white proximity badges. Our badges now include a picture, name and other features that identify the user as an employee or contractor.
I expect more compliance-driven security improvements in the future, since we are seriously considering becoming HIPAA-compliant.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Click here for more security articles.